Method and arrangement for providing security through network address translations using tunneling and compensations

ABSTRACT

This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No.11/128,933, filed May 12, 2005, now U.S. Pat. No. 8,127,348, which is acontinuation of U.S. application Ser. No. 09/333,829, filed Jun. 15,1999, now U.S. Pat. No. 6,957,346. The entire contents of bothapplications are incorporated herein by reference in their entireties.

TECHNOLOGICAL FIELD

The invention relates in general to the field of secure communicationsbetween computers in packet-switched data transmission networks. Moreparticularly the invention relates to the field of setting up andmaintaining secure communication connections through a Network AddressTranslation or protocol conversion.

BACKGROUND OF THE INVENTION

The Internet Engineering Task Force (IETF) has standardized the IPSEC(Internet Protocol Security) protocol suite; the standards are wellknown from the Request For Comments or RFC documents number RFC2401,RFC2402, RFC2406, RFC2407, RFC2408 and RFC2409 mentioned in the appendedlist of references, all of which are hereby incorporated by reference.The IPSEC protocols provide security for the IP or Internet Protocol,which itself has been specified in the RFC document number RFC791. IPSECperforms authentication and encryption on packet level by generating anew IP header, adding an Authentication Header (AH) or EncapsulatingSecurity Payload (ESP) header in front of the packet. The originalpacket is cryptographically authenticated and optionally encrypted. Themethod used to authenticate and possibly encrypt a packet is identifiedby a security parameter index (SPI) value stored in the AH and ESPheaders. The RFC document number RFC2401 specifies a transport mode anda tunnelling mode for packets; the present invention is applicableregardless of which of these modes is used.

In recent years, more and more vendors and Internet service providershave started performing network address translation (NAT). References toNAT are found at least in the RFC document number RFC1631 as well as thedocuments which are identified in the appended list of references asSrisuresh98Terminology, SrisureshEgevang98, Srisuresh98Security,HoldregeSrisuresh99, TYS99, Rekhter99, LoBorella99 and BorellaLo99.There are two main forms of address translation, illustratedschematically in FIGS. 1 a and 1 b: host NAT 101 and port NAT 151. HostNAT 101 only translates the IP addresses in an incoming packet 102 sothat an outgoing packet 103 has a different IP address. Port NAT 151also touches the TCP and UDP port numbers (Traffic Control Protocol;User Datagram Protocol) in an incoming packet 152, multiplexing severalIP addresses to a single IP address in an outgoing packet 153 andcorrepondingly demultiplexing a single IP address into several IPaddresses for packets travelling in the opposite direction (not shown).Port NATs are especially common in the home and small officeenvironment. The physical separation of input and output connections forthe NAT devices is only shown in FIGS. 1 a and 1 b for graphicalclarity; in practice there are many possible ways for physicallyconnecting a NAT.

Address translation is most frequently performed at the edge of a localnetwork (i.e., translation between multiple local private addresses onone hand and fewer globally routable public addresses on the other).Most often, port NAT is used and there is only one globally routableaddress. A local network 154 has been schematically illustrated in FIG.1 b. Such arrangements are becoming extremely commonplace in the homeand small office markets. Some Internet service providers have alsostarted giving private addresses to their customers, and perform addresstranslation in their core networks for such addresses. In general,network address translation has been widely discussed in depth e.g. inthe NAT working group within the Internet Engineering Task Force. Theoperating principles of a NAT device are well known, and there are manyimplementations available on the market from multiple vendors, includingseveral implementations in freely available source code. The typicaloperation of a NAT may be described so that it maps IP address and portcombinations to different IP address and port combinations. The mappingwill remain constant for the duration of a network connection, but maychange (slowly) with time. In practice, the NAT functionality is oftenintegrated into a firewall or a router.

FIG. 1 c illustrates an exemplary practical network communicationsituation where a transmitting node 181 is located in a first local areanetwork (also known as the first private network) 182, which has a portNAT 183 to connect it to a wide-area general packet-switched network 184like the Internet. The latter consists of a very large number of nodesinterconnected in an arbitrary way. A receiving node 185 is located in asecond local area network 186 which is again coupled to the wide-areanetwork through a NAT 187. The denominations “transmitting node” and“receiving node” are somewhat misleading, since the communicationrequired to set up network security services is bidirectional. Thetransmitting node is the one that initiates the communication. Also theterms “Initiator” and “Responder” are used for the transmitting node andthe receiving node respectively.

The purpose of FIG. 1 c is to emphasize the fact that the communicatingnodes are aware of neither the number or nature of the intermediatedevices through which they communicate nor the nature of transformationsthat take place. In addition to NATs, there are other types of deviceson the Internet that may legally modify packets as they are transmitted.A typical example is a protocol converter, whose main job is to convertthe packet to a different protocol without disturbing normal operation.Using them leads to problems very similar to the NAT case. A fairlysimple but important example is converting between IPv4 and IPv6, whichare different versions of the Internet Protocol. Such converters will beextremely important and commonplace in the near future. A packet mayundergo several conversions of this type during its travel, and it ispossible that the endpoints of the communication actually use adifferent protocol. Like NAT, protocol conversion is often performed inrouters and firewalls.

It is well known in the IPSEC community that the IPSEC protocol does notwork well across network address translations. The problem has beendiscussed at least in the references given as HoldregeSrisuresh99 andRekhter99.

In the Finnish patent application number 974665 and the correspondingPCT application number FI98/01032, which are incorporated herein byreference, we have presented a certain method for performing IPSECaddress translations and a method for packet authentication that isinsensitive to address transformations and protocol conversions en routeof the packet. Additionally in said applications we have presented atransmitting network device and a receiving network device that are ableto take advantage of the aforementioned method. However, some problemsrelated to the provision of network security services over networkaddress translation remain unsolved in said previous patentapplications.

SUMMARY OF THE INVENTION

It is an object of the present invention to present a method and thecorresponding devices for providing network security services overnetwork address translation in a reliable and advantageous way.

According to a first aspect of the invention there is therefore provideda method for securely communicating packets between a first computerdevice and a second computer device through a packet-switched datatransmission network comprising intermediate computer devices, where atleast one of said computer devices performs a network addresstranslation and/or a protocol conversion, the method comprising thesteps of

-   -   determining what network address translations, if any, occur on        packets transmitted between the first computer device and the        second computer device,    -   taking packets conforming to a first protocol and encapsulating        them into packets conforming to a second protocol, which second        protocol is capable of traversing network address translations,    -   transmitting said packets conforming to said second protocol        from the first computer device to the second computer device and    -   decapsulating said transmitted packets conforming to said second        protocol into packets conforming to said first protocol.

According to a second aspect of the invention there is provided a methodfor conditionally setting up a secure communication connection between afirst computer device and a second computer device through apacket-switched data transmission network comprising intermediatecomputer devices, where at least one of said computer devices performs anetwork address translation and/or a protocol conversion, the methodcomprising the steps of

-   -   finding out, whether or not the second computer device supports        a communication method where: it is determined what network        address translations, if any, occur on packets transmitted        between the first computer device and the second computer        device; packets are taken that conform to a first protocol and        encapsulated into packets that conform to a second protocol,        which second protocol is capable of traversing network address        translations; said packets conforming to said second protocol        are transmitted from the first computer device to the second        computer device; and said transmitted packets conforming to said        second protocol are decapsulated into packets conforming to said        first protocol,    -   as a response to a finding indicating that the second computer        device supports said communication method, setting up a secure        communication connection between the first computer device and        the second computer device in which communication connection        said communication method is employed and    -   as a response to a finding indicating that the second computer        device does not support said communication method, disabling the        use of said communication method between the first and the        second computer devices.

According to a third aspect of the invention there is provided a methodfor tunnelling packets between a first computer device and a secondcomputer device through a packet-switched data transmission networkcomprising intermediate computer devices, where at least one of saidcomputer devices performs a network address translation and/or aprotocol conversion, the method comprising the steps of

-   -   taking packets conforming to a first protocol and encapsulating        them at the first computer device into packets conforming to a        second protocol, which second protocol is capable of traversing        network address translations,    -   transmitting said packets conforming to said second protocol        from the first computer device to the second computer device,    -   decapsulating said transmitted packets conforming to said second        protocol into packets conforming to said first protocol at the        second computer device,    -   generating response packets conforming to said first protocol        and encapsulating them at the second computer device into        response packets conforming to said second protocol,    -   transmitting said response packets conforming to said second        protocol from the second computer device to the first computer        device,    -   decapsulating said transmitted response packets conforming to        said second protocol into packets conforming to said first        protocol at the first computer device,    -   using the response packets at the first computer device to        obtain information about the address translations occurred on        packets transmitted between the first computer device and the        second computer device and    -   using said obtained information to modify the operation of the        tunnelling of packets between the first computer device and the        second computer device.

According to a fourth aspect of the invention there is provided a methodfor tunnelling packets between a first computer device and a secondcomputer device through a packet-switched data transmission networkcomprising intermediate computer devices, in which data transmissionnetwork there exists a security protocol comprising a key managementconnection that employs a specific packet format for key managementpackets, the method comprising the steps of

-   -   encapsulating data packets that are not key management packets        into said specific packet format for key management packets,    -   transmitting said data packets encapsulated into the specific        packet format from the first computer device to the second        computer device,    -   discriminating at the second computer device the data packets        encapsulated into the specific packet format from actual key        management packets and    -   decapsulating the data packets encapsulated into the specific        packet format.

According to a fifth aspect of the invention there is provided a methodfor securely communicating packets between a first computer device and asecond computer device through a packet-switched data transmissionnetwork comprising intermediate computer devices, where at least one ofsaid computer devices performs a network address translation and/or aprotocol conversion and where a security protocol exists comprising akey management connection, the method comprising the steps of

-   -   for determining what network address translations, if any, occur        on packets transmitted between the first computer device and the        second computer device: establishing a key management connection        according to said security protocol between the first computer        device and the second computer device; composing an indicator        packet with a header part and a payload part of which both        comprise the network addresses of the first computer device and        the second computer device as seen by the node composing said        packet; transmitting and receiving said indicator packet within        the key management connection; and comparing in the received        indicator packet the addresses contained in the header part and        the payload part, and    -   using the information concerning the determined occurrences of        network address translations for securely communicating packets        between the first computer device and the second computer        device.

According to a sixth aspect of the invention there is provided a methodfor securely communicating packets between a first computer device and asecond computer device through a packet-switched data transmissionnetwork comprising intermediate computer devices, where at least one ofsaid computer devices performs a network address translation and/or aprotocol conversion; where a security protocol is acknowledged whichdetermines transport-mode processing of packets for transmission andreception; and where a high-level protocol checksum has been determinedfor checking the integrity of received packets, the method comprisingthe steps of

-   -   at the first computer device, performing transport-mode        processing for packets to be transmitted to the second computer        device,    -   at the second computer device, performing transport-mode        processing for packets received from the first computer device,        said transport-mode processing comprising the decapsulation of        received packets and    -   at the second computer device, updating the high-level protocol        checksum for decapsulated packets for compensating for changes,        if any, caused by network address translations.

According to a seventh aspect of the invention there is provided amethod for maintaining the unchanged form of address translationsperformed by network address translation devices on encapsulated datatransmission packets communicated between a first computer device and asecond computer device through a packet-switched data transmissionnetwork, the method comprising the steps of

-   -   determining which address translations occur on actual data        packets transmitted with certain address information between the        first computer device and the second computer device through the        packet-switched data transmission network and    -   forcing at least one of the first computer device and the second        computer device to transmit to the other computer device        keepalive packets with address information identical to that of        actual data packets at a high enough frequency so that network        address translation devices constantly reuse the mappings used        for network address translation even when a certain fraction of        the packets communicated between the first computer device and        the second computer device are lost in the network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 a illustrates the known use of a host NAT,

FIG. 1 b illustrates the known use of a port NAT,

FIG. 1 c illustrates a known communication connection between nodesthrough a packet-switched network,

FIG. 2 a illustrates a certain Vendor ID payload applicable within thecontext of the invention,

FIG. 2 b illustrates a certain private payload applicable within thecontext of the invention,

FIG. 2 c illustrates a certain combined header structure applicablewithin the context of the invention,

FIG. 3 illustrates certain method steps related to the application ofthe invention,

FIG. 4 illustrates a transformation of header structures according to anaspect of the invention, and

FIG. 5 illustrates a simplified block diagram of a network device usedto implement the method according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention combines and extends some of the methods ofnetwork address translation, tunneling over UDP, IKE, and the IKEextension mechanisms, in a novel and inventive way to produce a methodfor secure communications across network address translations andprotocol conversions. The method can be made fully automatic andtransparent to the user.

A key point relating to the applicability of the invention is that—atthe priority date of the present patent application—in general only TCP(described in RFC793, which is hereby incorporated by reference) and UDP(described in RFC768, which is hereby incorporated by reference) workover NAT. This is because most NATs used in practise are port NATs, andthis is the form of NAT that provides most benefits with regards to theshortage of globally routable IP addresses. The invention is not,however, limited to the use of UDP and TCP as they are known at thepriority date of this patent application: in general it may be said thatUDP and TCP are examples of protocols that determine that connectionidentification information (i.e. addressing and port numbering) that ismapped into another form in the address transformation process. We mayexpect that other kinds of communication protocols and addresstransformations emerge in the future.

The various aspects of the invention are related to

-   -   determining whether a remote host supports a certain method        which is typically a secure communication method according to        the invention (the “methods supported” aspect),    -   determining what network address translations and/or protocol        conversions occur on packets, if any (the “occurring        translations” aspect),    -   tunneling packets inside a certain carefully selected protocol,        typically UDP, to make them traverse NATs (the “selected        tunnelling” aspect),    -   using a keepalive method to make sure that involved NAT devices        and other devices that use timeouts for mappings do not lose the        mapping for the communicating hosts (the “keepalive” aspect),    -   compensating for the translations that occur before verifying        the message authentication code for AH packets (the        “compensation/authentication” aspect) and    -   performing address translations at either the sending or        receiving node to compensate for multiple hosts being mapped to        a single public address (the “compensation/mapping” aspect).

The process of encapsulating data packets for transmission over adifferent logical network is called tunneling. Typically, in the case ofthe IP protocol, tunneling involves adding a new IP header in front ofthe original packet, setting the protocol field in the new headerappropriately, and sending the packet to the desired destination(endpoint of the tunnel). Tunneling may also be implemented by modifyingthe original packet header fields or replacing them with a differentheader, as long as a sufficient amount of information about the originalpacket is saved in the process so that it will be possible toreconstruct the packet at the end of the tunnel into a form sufficientlysimilar to the original packet entering the tunnel. The exact amount ofinformation that needs to be passed with the packet depends on thenetwork protocols, and information may be passed either explicitly (aspart of the tunnelled packet) or implicitly (by the context, asdetermined e.g. by previously transmitted packets or a contextidentifier in the tunneled packet).

It is well known in the art how to tunnel packets over a network. Atleast the references given as RFC1226, RFC1234, RFC1241, RFC1326,RFC1701, RFC1853, RFC2003, RFC2004, RFC2107, RFC2344, RFC2401, RFC2406,RFC2473 and RFC2529 (all of which are hereby incorporated by reference)relate to the subject of tunneling. For example, RFC1234 presents amethod of tunneling IPX frames over UDP. In that method, packets aretunneled to a fixed UDP port and to the decapsulator's IP address.

The IPSEC protocol mentioned in the background description typicallyuses the Internet Key Exchange or IKE protocol (known from referencesRFC2409, RFC2408 and RFC2407, all of which are hereby incorporated byreference) for authenticating the communicating parties to each other,deriving a shared secret known only to the communicating parties,negotiating authentication and encryption methods to be used for thecommunication, and agreeing on a security parameter index (SPI) valueand a set of selectors to be used for the communication. The IKEprotocol was previously known as the ISAKMP/Oakley, where the acronymISAKMP comes from Internet Security Association Key Management Protocol.Besides said normal negotiation specified in the IKE standard, IKEsupports certain mechanisms for extension. The Vendor ID payload knownfrom reference RFC2408, which is hereby incorporated by reference,allows communicating parties to determine whether the other partysupports a particular private extension mechanism. The IPSEC DOI (Domainof Interpretation) known as RFC2407, which is hereby incorporated byreference, reserves certain numeric values for such private extensions.

Currently, the well-known Vendor ID payload is defined to have theformat illustrated in FIG. 2 a, where the column numbers correspond tobit positions. For the purposes of the present invention the Vendor IDfield 201 is the most important part of the Vendor ID payload. In thecontext of the IKE protocol, negotiating whether the remote hostsupports a certain method for providing secure network communicationscan be performed as follows. The terminology used here is borrowed fromthe IKE documents.

The IKE protocol determines the so-called Phase 1 of the mutual exchangeof messages between the Initiator (i.e., the node first sending a packetto the other) and the Responder (i.e., the node first receiving apacket). FIG. 3 illustrates an exchange of first Phase 1 messagesbetween the Initiator and the Responder. According to the “methodssupported” aspect of the invention both devices include a certain VendorID Payload in a certain Phase 1 message which is most advantageouslytheir first Phase 1 message. This payload indicates that they supportthe method in question.

In FIG. 3 the Vendor ID fields contained within the Initiator's first(or other) Phase 1 message is schematically shown as 201′ and the VendorID fields contained within the Responder's first (or other) Phase 1message is schematically shown as 201″. To indicate support for acertain method the Vendor ID field in the Vendor ID Payload is basicallyan identification of that method: advantageously it is the MD5 hash of apreviously known identification string, e.g. “SSH IPSEC NAT TraversalVersion 1”, without any trailing zeroes or newlines. Producing MD5hashes of arbitrary character sequences is a technique well known in theart for example from the publication RFC1321, which is herebyincorporated by reference, mentioned in the list of references.

Next we will address the “occurring translations” aspect of theinvention. In addition to the above-mentioned Phase 1, the IKE protocoldetermines the so-called Phase 2 of the mutual exchange of messagesbetween the Initiator and the Responder. According to the “occurringtranslations” aspect of the invention the parties can determine whichtranslations occur by including the IP addresses they see in privatepayloads of certain Phase 2 Quick Mode messages, which are mostadvantageously their first Phase 2 Quick Mode messages. Any unusednumber in the private payload number range can be used to signify suchuse of the private payload (e.g. 157, which is unused at the prioritydate of the present patent application).

The private payload used to reveal the occurring translations can havee.g. the format illustrated in FIG. 2 b. Field 211 contains a type codethat identifies the types of the addresses that appear in fields 212 and213. Field 212 contains the address of the Initiator as seen by the nodesending the message, and field 213 contains the address of the Responderas seen by the node sending the message. FIG. 3 shows the exchange of(first) Phase 2 Quick Mode messages between the Initiator and theResponder so that the corresponding fields 211′, 212′ and 213′ areincluded in the message sent by the former and the fields 211″, 212″ and213″ are included in the message sent by the latter.

According to known practice the addresses of the Initiator and Responderare also included in the header of the packet that contains the payloadof FIG. 2 b. In the header they are susceptible to address translationsand other processing whereas in the private payload they are not. Whenthe packet with the payload of FIG. 2 b is received, the addressescontained in it are compared with those seen in the packet header. Ifthey differ, then an address translation occurred on the packet. Laterwe will refer to the use of the standard IKE port number 500 togetherwith applying the invention; as an additional way of detecting occurredtranslations the port numbers of the received packet can also becompared against the standard IKE port number 500 to determine if porttranslations occurred.

An aspect of some importance when handling the addresses is that the UDPsource port of the packet can be saved for later use. It would usuallybe saved with the data structures for Phase 1 ISAKMP securityassociations, and would be used to set up compensation processing forPhase 2 IPSEC security associations.

To use the method described above to implement the “occurredtranslations” aspect of the invention, the hosts must modify their Phase2 identification payloads: the payload illustrated in FIG. 2 b is notknown in the existing standards. One possibility is to restrict thepayloads to the ID_IPV4_ADDR and ID_IPV6_ADDR types, which would beappropriate for host-to-host operation.

Next we will address the “selected tunnelling”,“compensation/authentication” and “compensation/mapping” aspects of theinvention. According to this aspect of the invention the actual datapackets can be tunneled over the same connection which is used to set upthe security features of the communication connection, e.g. the UDPconnection used for IKE. This ensures that the actual data packets willexperience the same translations as the IKE packets did when thetranslation was determined. Taken that the standard port number 500 hasbeen determined for IKE, this would mean that all packets are sent withsource port 500 and destination port 500, and a method is needed todistinguish the real IKE packets from those containing encapsulateddata. One possible way of doing this takes advantage of the fact thatthe IKE header used for real IKE packets contains an Initiator Cookiefield: we may specify that Initiators that support this aspect of theinvention never generate cookies that have all zeroes in their fourfirst bytes. The value zero in the corresponding four bytes is then usedto recognize the packet as a tunneled data packet. In this way, tunneleddata packets would have four zero bytes at the beginning of the UDPpayload, whereas real IKE packets never would.

FIG. 4 illustrates the encapsulation of actual IPSEC packets into UDPfor transmission. Basically, a UDP header 403 and a short intermediateheader 404 are inserted after the IP header 401 already in the packet(with the protocol field copied to the intermediate header). The IPheader 401 is slightly modified to produce a modified IP header 401′.The IP payload 402 stays the same. The simple illustration of theunencapsulated IPSEC packet on the left should not be misinterpreted:this packet is not plaintext but has been processed according to AH orESP or corresponding other transformation protocol in the sending nodebefore its encapsulation into UDP.

Without limiting the generality, it is assumed in the presentation herethat the encapsulation according to FIG. 4 is always performed by thesame nodes that perform IPSEC processing (either an end node or a VPNdevice). It should also be noted that instead of encapsulating the IPSECpackets into UDP they could be encapsulated into TCP. This alternativewould probably require using fake session starts and ends so that thefirst packet has the SYN bit and the last packet has the FIN bit, asspecified in the TCP protocol.

In encapsulating an actual data packet or a “datagram” according to FIG.4, the original IP header 401—defined in RFC791, which is herebyincorporated by reference,—is modified to produce the modified IP header401′ as follows:

-   -   the Protocol field in the IP header (not separately shown) is        replaced by protocol 17 for UDP in accordance with RFC768, which        is hereby incorporated by reference,    -   the Total Length field in the IP header (not separately shown)        is incremented by the combined size of the UDP and intermediate        headers (total 16 bytes) and    -   the Header Checksum field in the IP header (not separately        shown) is recomputed in accordance with the rules given in        RFC791, which is hereby incorporated by reference.

As seen from FIG. 4, an UDP header 403—as defined in RFC768, which ishereby incorporated by reference,—and an intermediate header 404 areinserted after the IP header. The UDP header is 8 octets and theintermediate header is 8 octets, for a total of 16 octets. These headersare treated as one in the following discussion. The combined header hasmost advantageously the format illustrated in FIG. 2 c. Fields of thisheader are set as follows:

-   -   The Source Port field 221 is set to 500 (same as IKE). If the        packet goes through NAT, this may be different when the packet        is received.    -   The Destination Port field 222 is set to the port number from        which the other end appears to be sending packets. If the packet        goes through NAT, the recipient may see a different port number        here.    -   The UDP Length field 223 is the length of the UDP header plus        the length of the UDP data field. In this case, it also includes        the intermediate header. The value is computed in bytes as 16        plus the length of the original IP packet payload (not including        the original IP header, which is included in the Length field in        the IP header).    -   The UDP Checksum field 224 is most advantageously set to 0. The        UDP checksum is optional, and we do not wish to calculate or        check it with this tunneling mechanism. Integrity of the data is        assumed to be protected by an AN or ESP header within the        tunneled packet.    -   The Must be zero field 225: This field must contain a previously        agreed fixed value, which is most advantageously all zeroes. The        field overlaps with the first four bytes of the Initiator Cookie        field in an actual IKE header. Any Initiator that supports this        aspect of the invention must not use a cookie where the first        four bytes are zero. These zero bytes are used to separate the        tunneled packets from real ISAKMP packets. Naturally some other        fixed value than “all zeroes” could be chosen, but the value        must be fixed for this particular use.    -   Protocol field 226: The value of this field is copied from the        known Protocol field in the original IP header (not separately        shown in FIG. 4).    -   Reserved field 227: most advantageously sent as all zeroes;        ignored on reception.

The sender inserts this header in any packets tunneled to a destinationbehind NAT. Information about whether NAT is used can be stored on a perSA (Security Association) basis in the policy manager. The encapsulationreferred to in FIG. 4 can be implemented either as a new transform or aspart of the otherwise known AH and ESP transforms.

The encapsulation operation makes use of the UDP port number and IPaddress of the remote host, which were determined during the IKEnegotiation.

The receiver decapsulates packets from this encapsulation before doingAH or ESP processing. Decapsulation removes this header and updates theProtocol, Length, and Checksum fields of the IP header. No configurationdata (port number etc.) is needed for this operation.

The decapsulation should be performed only if all of the followingselectors match:

-   -   destination address is the destination address of this host,    -   source address is the address of a host with which this host has        agreed to use this tunnelling,    -   the Protocol field indicates UDP,    -   the Destination port field value is 500 and    -   the Source port field value indicates the port with which this        host has    -   agreed to use this tunneling. (Note that there may be multiple        source addresses and ports for which this tunneling is        performed; each of them is treated by a separate set of        selectors.)

During decapsulation the source address in the received packet can bereplaced by the real source address received during the IKE negotiation.This implements the compensation for AH MAC verification. The address isagain changed in the post-processing phase below. Because of thiscompensation, the standard AH and ESP transforms can be used unmodified.

In FIG. 3 the AH/ESP processing at the sending node is schematicallyshown as block 301, encapsulation of datagrams into UDP is schematicallyshown as block 302, the corresponding decapsulation of datagrams fromUDP is schematically shown as block 303 and AH/ESP processing at thereceiving node is schematically shown as block 304.

Additional compensation must be done after the packet has beendecapsulated from AH or ESP. This additional decapsulation must dealwith the fact that the outer packet actually went through NAT(illustrated schematically in FIG. 3 as block 305), and consequently theplaintext packet must also undergo a similar transformation. Therecipient must see the address of the NAT device as the address of thehost, rather than the original internal address. Alternatively, thiscompensation could have been performed by the sender of the packetbefore encapsulating it within AH or ESP.

There are several alternatives for this additional compensation forvarious special cases (the best compensation depends on the particularapplication):

-   -   Allocating a range of network addresses for this processing        (say, in the link-local use range 169.254.x.x—the actual values        do not matter; basically we just want an arbitrary network that        no-one else is using). An address in this range is allocated for        each <natip, ownip, natport, ownport> combination, where natip        means the IP address of the NAT, ownip means the processing        device's own IP address, natport means the port number at the        NAT and ownport means the processing device's own port number.        The remote address in the packet is replaced by this address        before the packet is sent to protocol stacks.    -   As part of the compensation, the TCP checksum for internal hosts        must be recomputed if host addresses or port numbers changed.        TCP checksum computations may also be incremental, as is known        from RFC1071, which is hereby incorporated by reference. Port        NAT may need to be performed for the source port.    -   When used as a VPN between two sites using incompatible        (possibly overlapping) private address spaces, address        translation must be performed to make the addresses compatible        with local addresses.    -   When used as a VPN between two sites using compatible        (non-overlapping) private address spaces, and tunnel mode is        used, no additional compensation may be needed.    -   Address translation may need to be performed for the contents of        certain protocol packets, such as FTP (known from RFC959, which        is hereby incorporated by reference) or H.323. Other similar        issues are discussed in the reference given as        HoldregeSrisuresh99.    -   It may also be possible to use random addresses for the client        at the server, and perform address translation to this address.        This could allow the server to distinguish between multiple        clients behind the same NAT, and could avoid manual        configuration of the local address space.    -   The compensation operation may or may not interact with the        TCP/IP stack on the local machine to reserve UDP port numbers.

In general, this invention does not significantly constrain the methodused to compensate for inner packets the NAT occurring for the outerheader. The optimal method for performing such compensation may be foundamong the above-given alternatives by experimenting, or some otheroptimal method could be presented.

Next we will address the “keepalive” aspect of the invention, i.e.ensuring that the network address translations performed in the networkdo not change after the translations that occur have been determined.Network address translators cache the information about address mapping,so that they can reverse the mapping for reply packets. If TCP is used,the address translator may look at the FIN bit of the TCP header todetermine when it can drop a particular mapping. For UDP, however, thereis no explicit termination indication for flows. For this reason, manyNATs will time out mappings for UDP quite fast (even as fast as in 30seconds). Thus, it becomes necessary to force the mapping to bemaintained.

A possible way of ensuring the maintaining of mappings is to sendkeepalive packets frequently enough that the address translation remainsin the cache. When computing the required frequency, one must take intoaccount that packets may be lost in the network, and thus multiplekeepalives must be sent within the estimated shortest period in whichNATs may forget the mapping. The appropriate frequency depends on boththe period the mappings are kept cached and on the packet lossprobability of the network; optimal frequency values for various contextmay be found through experimenting.

Keepalive packets do not need to contain any meaningful informationother than the necessary headers that are equal to the data packetheaders to ensure that the keepalive packets will be handled exactly inthe same way as the actual data packets. A keepalive packet may containan indicator that identifies it as a keepalive packet and not a datapacket; however it may also be determined that all packets that do notcontain meaningful payload information are interpreted to be keepalivepackets. In FIG. 3 the transmission of keepalive packets isschematically illustrated by block 306 and the reception and discardingof them is schematically illustrated by block 307. It should be notedthat the use of keepalive packets is not needed at all if actual datapackets are transmitted frequently enough and/or the connection is toremain valid only for such a short time (e.g. a few seconds) that it isimprobable that any intermediate device would delete the mappinginformation from its cache. Keepalive packets need to be transmitted inone direction only, although they may be transmitted alsobidirectionally; the drawback resulting from their bidirectionaltransmission is the resulting increase in unnecessary network traffic.The invention does not limit the direction(s) in which keepalive packets(if any) are transmitted.

FIG. 5 is a simplified block diagram of a network device 500 that canact as the Initiator or the Responder according to the method ofproviding secure communications over network address translations inaccordance with the invention. Network interface 501 connects thenetwork device 500 physically to the network. Address management block502 keeps track of the correct network addresses, port numbers and otheressential public identification information of both the network device500 itself and its peer (not shown). IKE block 503 is responsible forthe key management process and other activities related to the exchangeof secret information.

Encryption/decryption block 504 implements the encryption and decryptionof data once the secret key has been obtained by the IKE block 503.Compensation block 505 is used to compensate for the permissibletransformations in the transmitted and/or received packets according tothe invention. Either one of blocks 504 and 505 may be used to transmit,receive and discard keepalive packets. Packet assembler/disassemblerblock 506 is the intermediator between blocks 502 to 505 and thephysical network interface 501. All blocks operate under the supervisionof a control block 507 which also takes care of the routing ofinformation between the other blocks and the rest of the network device,for example for displaying information to the user through a displayunit (not shown) and obtaining commands from the user through a keyboard(not shown). The blocks of FIG. 5 are most advantageously implemented aspre-programmed operational procedures of a microprocessor, whichimplementation is known as such to the person skilled in the art. Otherarrangements than that shown in FIG. 5 may as well be used to reduce theinvention into practice.

Even though the present invention was presented in the context of IKE,and tunneling using the IKE port, it should be understood that theinvention applies to also other analogous cases using different packetformatting methods, different negotiation details, a different keyexchange protocol, or a different security protocol. The invention mayalso be applicable to non-IP protocols with suitable characteristics.The invention is equally applicable to both IPv4 and IPv6 protocols. Theinvention is also intended to apply to future revisions of the IPSEC andIKE protocols.

It should also be understood that the invention can also be applied toprotocol translations in addition to just address translations. Adaptingthe present invention to protocol translations should be well within thecapabilities of a person skilled in the art given the description hereand the discussions regarding protocol translation in the former patentapplications of the same applicant mentioned above and incorporatedherein by reference.

List of References

All of the following references are hereby incorporated by reference.

BorellaLo99

-   M. Borella, J. Lo: Realm Specific IP: Protocol Specification,    draft-ietf-nat-rsip-protocol-00.txt, Work in Progress, Internet    Engineering Task Force, 1999.    HoldregeSrisuresh99-   M. Holdrege, P. Srisuresh: Protocol Complications with the IP    Network Address Translator (NAT),    draft-ietf-nat-protocol-complications-00.txt, Work in Progress,    Internet Engineering Task Force, 1999.    LoBorella99-   J. Lo, M. Borella: Real Specific IP: A Framework,    draft-ietf-nat-rsip-framework-00.txt, Work in Progress, Internet    Engineering Task Force, 1999.    Rekhter99-   Y. Rekhter: Implications of NATs on the TCP/IP architecture,    draft-ietf-nat-arch-implications-00.txt, Internet Engineering Task    Force, 1999.    RFC768-   J. Postel: User Datagram Protocol, RFC 768, Internet Engineering    Task Force, 1980.    RFC791-   J. Postel: Internet Protocol, RFC 791, Internet Engineering Task    Force, 1981.    RFC793-   J. Postel: Transmission Control Protocol, RFC 793, Internet    Engineering Task Force, 1981.    RFC959-   J. Postel, J. Reynolds: File Transfer Protocol, RFC 959, Internet    Engineering Task Force, 1985.    RFC1071-   R. Braden, D. Borman, C. Partridge: Computing the Internet checksum,    RFC 1071, Internet Engineering Task Force, 1988.    RFC1226-   B. Kantor: Internet protocol encapsulation of AX.25 frames, RFC    1226, Internet Engineering Task Force, 1991.    RFC1234-   D. Provan: Tunneling IPX traffic through IP networks, RFC 1234,    Internet Engineering Task Force, 1991.    RFC1241-   R. Woodburn, D. Mills: Scheme for an Internet encapsulation    protocol: Version 1, RFC 1241, Internet Engineering Task Force,    1991.    RFC1321-   R. Rivest: The MD5 message-digest algorithm, RFC 1321, Internet    Engineering Task Force, 1992.    RFC1326-   P. Tsuchiya: Mutual Encapsulation Considered Dangerous, RFC 1326,    Internet Engineering Task Force, 1992.    RFC1631-   K. Egevang, P. Francis: The IP Network Address Translator (NAT), RFC    1631, Internet Engineering Task Force, 1994.    RFC1701-   S. Hanks, T. U, D. Farinacci, P. Traina: Generic Routing    Encapsulation, RFC 1701, Internet Engineering Task Force, 1994.    RFC 1702-   S. Hanks, T. Li, D. Farinacci, P. Traina: Generic Routing    Encapsulation over IPv4 networks, RFC 1702, Internet Engineering    Task Force, 1994.    RFC1853-   W. Simpson: IP in IP Tunneling, RFC 1853, Internet Engineering Task    Force, 1995.    RFC2003-   C. Perkins: IP Encapsulation within IP, RFC 2003, Internet    Engineering Task Force, 1996.    RFC2004-   C. Perkins: IP Encapsulation within IP, RFC 2004, Internet    Engineering Task Force, 1996.    RFC2107-   K. Hamzeh: Ascend Tunnel Management Protocol, RFC 2107, Internet    Engineering Task Force, 1997.    RFC2344-   G. Montenegro: Reverse Tunneling for Mobile IP, FC 2344, Internet    Engineering Task Force, 1998.    RFC2391-   P. Srisuresh, D. Gan: Load Sharing using IP Network Address    Translation (LSNAT), RFC 2391, Internet Engineering Task Force,    1998.    RFC2401-   S. Kent, R. Atkinson: Security Architecture for the Internet    Protocol, RFC 2401, Internet Engineering Task Force, 1998.    RFC2402-   S. Kent, R. Atkinson: IP Authentication Header, RFC 2402, Internet    Engineering Task Force, 1998.    RFC2406-   S. Kent, R. Atkinson: IP Encapsulating Security Payload, RFC 2406,    Internet Engineering Task Force, 1998.    RFC2407-   D. Piper: The Internet IP Security Domain of Interpretation for    ISAKMP. RFC 2407, Internet Engineering Task Force, 1998.    RFC2408-   D. Maughan, M. Schertler, M. Schneider, J. Turner: Internet Security    Association and Key Management Protocol (ISAKMP), RFC 2408, Internet    Engineering Task Force, 1998.    RFC2409-   D. Hakins, D. Carrel: The Internet Key Exchange (IKE), RFC 2409,    Internet Engineering Task Force, 1998.    RFC2473-   A. Conta, S. Deering: Generic Packet Tunneling in IPv6    Specification, RFC 2473, Internet Engineering Task Force, 1998.    RFC2529-   B. Carpenter, C. Jung: Transmission of IPv6 over IPv4 Domains    without Explicit Tunnels, RFC 2529, Internet Engineering Task Force,    1999.    Srisuresh98Terminology-   P. Srisuresh: IP Network Address Translator (NAT) Terminology and    Considerations, draft-ietf-nat-terminology-01.txt, Work in Progress,    Internet Engineering Task Force, 1998.    Srisuresh98Security-   P. Srisuresh: Security Model for Network Address Translator (NAT)    Domains, draft-ietf-nat-security-01.txt, Work in Progress, Internet    Engineering Task Force, 1998.    SrisureshEgevang98-   P. Srisuresh, K. Egevang: Traditional IP Network Address Translator    (Traditional NAT), draft-ietf-nat-traditional-01.txt, Work in    Progress, Internet Engineering Task Force, 1998.    TYS99-   W. Teo, S. Yeow, R. Singh: IP Relocation through twice Network    Address Translators (RAT), draft-ietf-nat-rnat-00.txt, Work in    Progress, Internet Engineering Task Force, 1999.

1. A method for secure communications between a first device and asecond device in a data communications system, the method comprising:receiving by the second device from the first device an Internet KeyExchange standard (IKE) key management packet communicated according toUniform Datagram Protocol (UDP) as a part of IKE negotiations forestablishing secure communications between the first device and thesecond device in a packet-based data communications system where anetwork address translation is possible between the first device and thesecond device and the first device has set a destination port field inthe IKE key management packet to a standard port number for IKE;determining and saving by the second device a UDP source port of thereceived IKE key management packet; and sending a data packet using theUDP port number and Internet Protocol (IP) address of the first devicedetermined during the IKE negotiations, wherein the destination portfield of the data packet is set to the port number from which the firstdevice appears to be sending packets.
 2. The method according to claim1, wherein the first device comprises an initiator and the second devicecomprises a responder of the IKE negotiations.
 3. The method as claimedin claim 1, wherein a port number of a network address translator isused if the IKE key management packet was received via the networkaddress translator.
 4. The method as claimed in claim 1, comprisingdetecting a network address translator between the devices, and inresponse thereto using UDP encapsulation for encapsulating securitypayload.
 5. A method of establishing secure communications between afirst device and a second device in a data communications system, themethod comprising initiating negotiations in accordance with theInternet Key Exchange standard (IKE) by sending an IKE key managementpacket between the devices using Uniform Datagram Protocol (UDP) forestablishing secure communications between the devices in a packet-baseddata communications system where a network address translation ispossible between the devices, wherein a destination port field in theIKE key management packet is set to a standard port number for IKE;determining and saving by the first device an UDP source port of an IKEkey management packet received from the second device; and sending adata packet using the UDP port number and Internet Protocol (IP) addressof the second device determined during the IKE negotiations, wherein thedestination port field of the packet is set to the port number fromwhich the second network device appears to be sending packets.
 6. Themethod according to claim 5, wherein the first device comprises aninitiator and the second device comprises a responder of the IKEnegotiations.
 7. The method as claimed in claim 5, wherein a port numberof a network address translator is used if the IKE key management packetwas received via the network address translator.
 8. The method asclaimed in claim 5, comprising detecting a network address translatorbetween the devices, and in response thereto using UDP encapsulation forencapsulating security payload.
 9. An apparatus comprising: at least onememory including computer program code; and at least one processor,wherein the at least one memory and the computer program code areconfigured to, with the at least one processor, cause the apparatus atleast to process Internet Key Exchange standard (IKE) negotiationsbetween a first device and a second device for establishing securecommunications between the devices in a packet-based data communicationssystem where a network address translation is possible between thedevices, wherein an Internet Key Exchange standard (IKE) key managementpacket is received from the first device according to Uniform DatagramProtocol (UDP) as a part of IKE negotiations and the first device hasset a destination port field in the IKE key management packet to astandard port number for IKE to determine and save an UDP source port ofthe IKE key management packet; and send a data packet using the UDP portnumber and Internet Protocol (IP) address of the other device determinedduring the IKE negotiations, wherein the destination port field of thedata packet is set to the port number from which the other deviceappears to be sending packets.
 10. The apparatus according to claim 9,wherein the first device comprises an initiator and the second devicecomprises a responder of the IKE negotiations.
 11. The apparatus asclaimed in claim 9, configured to use a port number of a network addresstranslator in response to reception of the IKE key management packet viathe network address translator.
 12. The apparatus as claimed in claim 9,configured to detect a network address translator between the devices,and in response thereto cause use of UDP encapsulation for encapsulationof security payload.
 13. An apparatus comprising: at least one memoryincluding computer program code; and at least one processor, wherein theat least one memory and the computer program code are configured to,with the at least one processor, cause the apparatus at least toinitiate negotiations in accordance with the Internet Key Exchangestandard (IKE) by sending an IKE key management packet between a firstdevice and a second device using Uniform Datagram Protocol (UDP) forestablishing secure communications between the first device and thesecond device in a packet-based data communications system where anetwork address translation is possible between the first device and thesecond device, wherein a destination port field in the IKE keymanagement packet is set to a standard port number for IKE; determineand save an UDP source port of a IKE key management packet received fromthe second device; and send a data packet using the UDP port number andInternet Protocol (IP) address of the second device determined duringthe IKE negotiations, wherein the destination port field of the packetis set to the port number from which the second device appears to besending packets.
 14. The apparatus according to claim 13, wherein thefirst device comprises an initiator and the second device comprises aresponder of the IKE negotiations.
 15. The apparatus as claimed in claim13, configured to use a port number of a network address translator inresponse to reception of the IKE key management packet via the networkaddress translator.
 16. The method as claimed in claim 13, configured todetect a network address translator between the devices, and in responsethereto to cause use of UDP encapsulation for encapsulation of securitypayload.
 17. A non-transitory computer readable medium for securecommunications between devices in a data communications system,comprising program code for causing a processor to perform instructionsfor: communication of an Internet Key Exchange standard (IKE) keymanagement packet according to Uniform Datagram Protocol (UDP) as a partof IKE negotiations for establishing secure communications between thedevices in a packet-based data communications system where a networkaddress translation is possible between the devices and a destinationport field in the IKE key management packet is set to a standard portnumber for IKE; determining and saving of a UDP source port of an IKEkey management packet received from the other device; and sending of adata packet using the UDP port number and Internet Protocol (IP) addressdetermined during the IKE negotiations, wherein the destination portfield of the data packet is set to the port number from which the otherdevice appears to be sending packets.
 18. The non-transitory computerreadable medium as claimed in claim 17, comprising program code forcausing use of a port number of a network address translator in responseto reception of the IKE key management packet via the network addresstranslator.
 19. The non-transitory computer readable medium as claimedin claim 17, comprising program code for causing detection of a networkaddress translator between the devices, and in response thereto use ofUDP encapsulation for encapsulation of security payload.